Efficient quantum key distribution with practical sources and detectors

We consider the security of a system of quantum key distribution (QKD) using only practical
devices. Currently, attenuated laser pulses are widely used and considered to be the most practical
light source. For the receiver of photons, threshold (or on/off) photon detectors are almost the only
choice. Combining the decoy-state idea and the security argument based on the uncertainty
principle, we show that a QKD system composed of such practical devices can achieve the unconditional
security without any significant penalty in the key rate and the distance limitation.

PACS numbers: 03.67.Dd 03.67.-a 



Among various applications of quantum information, quantum key distribution (QKD) is believed
to be the leading runner toward realization with today's technology. In QKD, the legitimate
parties, the sender (Alice) and the receiver (Bob), do not need to use any interaction among
photons. It is even presumed that they do not need precise control over single photons either;
we may substitute practical devices for the ideal single-photon source and ideal
photon-number-resolving detectors. Currently, weak coherent-state pulses from conventional lasers
are widely used as light sources, and the detection apparatus is normally composed of so-called
threshold (or on/off) detectors, which just report the arrival of photons and do not tell how
many of them have arrived. The main question arising here is, under such compromise on the
hardware, whether we can preserve the main feature of QKD, the security against any attack under
the law of quantum mechanics (unconditional security). The first proof of such unconditional
security under the uses of practical sources and detectors was given by Inamori et al. (ILM) but
with a price of a significant performance drop (see Fig. 3 below). Since then, it has been a
natural goal in the study of QKD to achieve the four conditions at the same time:
(i) unconditional security, (ii) practical sources, (iii) practical detectors, and (iv) high
performance, namely, avoiding any significant performance drop from the ideal case.

The main reason for the performance drop in the ILM result is the weakness against
photon-number splitting (PNS) attacks. One promising solution to fight against the PNS attacks
has recently been given by the combination of the decoy-state idea by Hwang and a sophisticated
security argument by GLLP. From the GLLP argument, one obtains the key rate for the BB84 protocol

$$G = -Q f(E) h(E) + Q^{(1)}\left[1 - h(e^{(1)})\right], \tag{1}$$

where $Q = \sum_n Q^{(n)}$ is the rate of events where the light pulse leads to Bob's detection
and passes the sifting process, and $Q^{(n)}$ is the contribution from the events where Alice's
source has emitted $n$ photons. $E$ is the overall QBER (quantum bit error rate), and $e^{(n)}$
is the QBER for the $n$-photon contribution, namely, $QE = \sum_n Q^{(n)} e^{(n)}$.
$h(E) = -E \log_2 E - (1-E) \log_2 (1-E)$ is the binary entropy function and $f(E) \ge 1$ stands
for the inefficiency in the error correction, which approaches unity in the asymptotic limit in
principle. By randomly inserting decoy states, i.e., pulses with different amplitudes, we obtain
a good estimation of $(Q^{(1)}, e^{(1)})$, and as a result the key rate becomes close to the one
with a single-photon source and photon-number-resolving detectors. We emphasize here that the
GLLP proof is based on an entanglement distillation protocol, and hence assumes a detector that
effectively squashes the input state into a qubit. This implies that the use of threshold
detectors is not covered by the GLLP proof. Most other unconditional security proofs aimed at
beating PNS attacks also fail to treat threshold detectors. One exception is the B92 protocol
with an additional local oscillator (LO), but the practicality of using two LO's has yet to be
tested in the experiment.

In this paper, we report that this final piece of the puzzle has been solved by re-deriving the
key rate formula (1), or actually a slightly better one, by extending an idea in the simple
security proofs that do not rely on entanglement distillation protocols, but on an argument
related to the uncertainty principle. As a result, it is shown that the four conditions (i)-(iv)
mentioned above can be satisfied by a decoy-state BB84 QKD system.

Alice's source — We assume that Alice uses a light source emitting a pulse (system $C$) in a
weak coherent state, and that she randomizes its optical phase before she sends it to Bob. Let
$|n, \theta\rangle_C$ be the state of $n$ photons in a linear polarization with angle $\theta$.
Then, Alice's signal state is written as

$$\rho_C(\theta) = \sum_n \mu_n \, |n, \theta\rangle_C \, {}_C\langle n, \theta|, \tag{2}$$

where $\mu_n = e^{-\mu} \mu^n / n!$ is the Poissonian distribution with mean $\mu$. The angle of
the polarization is chosen as $\theta = \theta_{W,a}$ according to her basis choice $W = Z, X$
and her random bit $a = 0, 1$, where $\{\theta_{Z,0}, \theta_{Z,1}\} = \{0, \pi/2\}$ and
$\{\theta_{X,0}, \theta_{X,1}\} = \{\pi/4, 3\pi/4\}$. We will use a simplified notation
$|a_W^{(n)}\rangle_C = |n, \theta_{W,a}\rangle_C$. All we need in the security proof is the
relation

$$|a_X^{(1)}\rangle_C = \left(|0_Z^{(1)}\rangle_C + (-1)^a |1_Z^{(1)}\rangle_C\right)/\sqrt{2}, \tag{3}$$

which means that the single photon part corresponds to the ideal BB84 source, and the obvious
fact that the vacuum state is independent of $W$ and $a$:

$$|a_W^{(0)}\rangle_C = |\mathrm{vac}\rangle_C. \tag{4}$$

FIG. 1: Bob's receiver with two threshold detectors, $D_0$ and $D_1$. It is equivalent to a
basis-independent filter ($F$) followed by a measurement ($M_Z$ or $M_X$).



Instead of this actual source, we introduce an equivalent way of producing the same state
$\rho_C(\theta_{W,a})$ via an auxiliary qubit $A$. For any qubit, we will denote the $Z$ basis as
$\{|0_Z\rangle, |1_Z\rangle\}$, and the $X$ basis as $\{|0_X\rangle, |1_X\rangle\}$, where
$|a_X\rangle = (|0_Z\rangle + (-1)^a |1_Z\rangle)/\sqrt{2}$. First Alice draws a classical random
variable $n$ according to the probability distribution $\{\mu_n\}$. Then she prepares her qubit
$A$ and the optical system $C$ in state

$$|\Phi_W^{(n)}\rangle_{AC} \equiv \left(|0_W\rangle_A |0_W^{(n)}\rangle_C + |1_W\rangle_A |1_W^{(n)}\rangle_C\right)/\sqrt{2}. \tag{5}$$

Alice can determine her bit value $a$ by measuring qubit $A$ on the chosen basis $W$. Since this
measurement can be done at any moment, we assume that it is postponed toward the end of the whole
protocol. From Eq. we notice that the $n = 1$ state $|\Phi_W^{(1)}\rangle_{AC}$ is independent of
the chosen basis $W$, namely,

(6)

We can also use Eq. (4) to obtain a simple form for $n = 0$,

$$|\Phi_W^{(0)}\rangle_{AC} = |0_X\rangle_A |\mathrm{vac}\rangle_C. \tag{7}$$

Bob's receiver — We assume that Bob uses a polarization rotator, a polarization beam splitter,
and two threshold detectors with the same efficiency $\eta_d$ (see Fig. 1). The dark count
probabilities $d_0$ and $d_1$ need not be the same. Bob chooses his own basis $W' = Z, X$, and
sets the rotator accordingly such that the polarization with angle $\theta_{W',0}$ and the
orthogonal polarization $\theta_{W',1}$ be split and directed to the two detectors. When neither
of the detectors clicks, we say Bob's outcome is "failure" ("f"). All the other cases are called
"detected" events, and Bob's outcome is a bit value $b$, determined according to which of the
detectors has clicked. When both detectors have clicked, Bob assigns a random value to $b$.
Bob's $W'$-basis measurement is thus a three-outcome measurement with POVM
$\{F_{W'}^{(0)}, F_{W'}^{(1)}, F_{W'}^{(f)}\}$. The elements for the failure outcome can be
written as

$$F_Z^{(f)} = F_X^{(f)} = (1 - d) \sum_n (1 - \eta_d)^n P_n, \tag{8}$$

where $P_n$ is the projector onto the subspace with $n$ photons, and $d = d_0 + d_1 - d_0 d_1$
is the probability for at least one of the detectors to have a dark count. Bob's $W'$-basis
measurement is hence equivalently described by a basis-independent filter $F$, which determines
whether the outcome is failure or not, followed by two-outcome measurement $M_{W'}$.

Using the apparatuses just described, Alice sends out many pulses and Bob analyzes the pulses
that arrive after a possible intervention by Eve. We place no restriction on the types of attack
by Eve. Alice and Bob randomly choose a small portion of events with $W = W' = Z$ and determine
the rate $Q_Z$ of detected events and the QBER $E_Z$, which is the rate of events with
$a \neq b$ divided by $Q_Z$. In principle, Alice may have a record of the photon number $n$ for
each event, and the rate can be written as a sum over the contribution of each $n$ as
$Q_Z = \sum_n Q_Z^{(n)}$, and similarly we have $E_Z = \sum_n q_Z^{(n)} e_Z^{(n)}$, where
$e_Z^{(n)}$ is the QBER for the $n$-photon events and $q_Z^{(n)} = Q_Z^{(n)}/Q_Z$. These
parameters can be estimated by the use of decoy states. We also define the $X$-basis quantities
$Q_X$, $E_X$, $Q_X^{(n)}$, $e_X^{(n)}$ in a similar way.

Suppose that after discarding the events used for the parameter estimation above, Alice and Bob
are left with $N$ detected events with $W = W' = Z$. For simplicity, here we consider the limit
of large $N$, and neglect the small fluctuations of the estimated parameters. Alice concatenates
her bit $a$ from each event to form an $N$-bit key $Z$, and she calculates $k$-bit final key
$K_{\rm fin} = ZC$, where $C$ is a random rank-$k$ $N \times k$ binary matrix. It is crucial in
the proof that we define Alice's key to be the 'correct' one, and let Bob try to correct errors
in his key to agree on $Z$. Since the QBER of Bob's $N$-bit outcome in comparison to Alice's $Z$
should be $E_Z$, Bob's errors can be corrected through $N f(E_Z) h(E_Z)$ bits of communication
between Alice and Bob. For simplicity, let us assume that this communication is encrypted by
consuming the same length of previously shared secret key. The matrix $C$ is made public by
Alice, and is used by Bob to calculate $K_{\rm fin}$.

FIG. 2: Three protocols for proving the security. (a) $Z$-basis detected events in the actual
protocol. (b) Alice's final key $K_{\rm fin}$ is the same as in protocol (a), from Eve's point of
view. (c) Bob tries to predict Alice's $X$-basis outcome $X$.



The security of the final key can be proved by comparing the three protocols shown in Fig. 2.
Protocol (a) is the actual protocol, and in the figure we have used the fact that Alice's bit $a$
can be regarded as the outcome of $Z$-basis measurement on qubit $A$. In Protocol (b), Alice
measures $K_{\rm fin}$ as in (a), but Bob's measurement $M_Z$ is replaced by $M_X$. Since Bob
reveals the outcome of $F$ but not the outcome of $M_Z$ in Protocol (a), Eve's knowledge about
Alice's final key $K_{\rm fin}$ is the same in (a) and in (b).

In Protocol (c), Alice's $Z$-basis measurements are further replaced by $X$-basis measurements.
We ask how we can predict Alice's $N$-bit outcome $X$ from Bob's outcome $X^*$ and the recorded
photon number $n$ for each event. Let us divide the $N$ events into three groups, $n = 0$,
$n = 1$, and $n \ge 2$, where each group should consist of $N q_Z^{(0)}$, $N q_Z^{(1)}$, and
$N(1 - q_Z^{(0)} - q_Z^{(1)})$ events, respectively. For the $n = 0$ group, Eq. (7) assures that
Alice's outcome is always 0. For the $n = 1$ group, let us recall what Alice and Bob do in
Protocol (c) from the beginning. Alice first prepares state and measures qubit $A$ on $X$-basis.
Bob conducts measurements $F$ and $M_X$. We notice that, due to Eq. this is identical to the
procedures taken by Alice and Bob in the parameter estimation with $W = W' = X$ and $n = 1$.
Hence we can use $e_X^{(1)}$ as the estimation of the error rate between Alice and Bob for this
group. Finally, for the $n \ge 2$ group, we have no guarantee on the correlation between Alice
and Bob. Combining these observations, we conclude that, given $X^*$, we can predict with a
negligibly small error probability that $X$ should belong to $2^{N(H+\epsilon)}$ candidates,
where

(9)



The above fact is enough to prove the security of the final key $K_{\rm fin}$ when its length is
chosen to be $k = N(1 - H - 2\epsilon)$. The sketch of proof is as follows (for a more
comprehensive argument, see Ref. [l^). The matrix $C$ can be equivalently determined by first
choosing a random $N \times (N-k)$ matrix $C'$, and then choosing $C$ under the condition
$C'^{T} C = 0$. This condition ensures that the $(N-k)$-bit observable $XC'$ and the $k$-bit
observable $K_{\rm fin} = ZC$ commute. Hence in Protocol (b), Alice can insert the projection
measurement for $XC'$ before the measurement for $K_{\rm fin}$, without causing any effect on the
outcome of the latter. Note that the outcome $XC'$ is $N(H + 2\epsilon)$-bit random parity for
$X$. Since we have already narrowed the possible values of $X$ into $2^{N(H+\epsilon)}$
candidates by the knowledge of $X^*$, the knowledge of $XC'$ further narrows them down to a
single candidate with a negligible error. This means that the state of Alice's $N$ qubits just
after the projection measurement for $XC'$ is an $X$-basis eigenstate. The final key
$K_{\rm fin}$ is the outcome of a $Z$-basis measurement on this $X$-basis eigenstate, and hence
Eve should have no information about it, namely, the final key is secure.

In the asymptotic limit $N \to \infty$, $\epsilon$ can be set to 0, and the loss from the
parameter estimation can be neglected. The key rate is thus given by
$G_Z = Q_Z[1 - H - f(E_Z) h(E_Z)]$, and substituting Eq. (9) gives

$$G_Z = -Q_Z f(E_Z) h(E_Z) + Q_Z^{(0)} + Q_Z^{(1)}\left[1 - h(e_X^{(1)})\right]. \tag{10}$$

We can generate the secret key from $W = W' = X$ events as well, with the rate $G_X$ given by
exchanging $X$ and $Z$ in Eq.

In order to compare the derived key rate with the GLLP formula, let us consider the case where
Alice and Bob choose the basis $X$ and $Z$ randomly without any bias, and the available
parameters are $Q = Q_Z + Q_X$, $Q^{(n)} = Q_Z^{(n)} + Q_X^{(n)}$ $(n = 0, 1)$,
$E = Q_Z E_Z + Q_X E_X$, and $e^{(1)} = (e_Z^{(1)} + e_X^{(1)})/2$. Eqs. jnj and JHJ assure that
we should have $Q_Z^{(1)} = Q_X^{(1)}$ regardless of Eve's attack. The total key rate
$G = G_Z + G_X$ then satisfies

$$G \ge -Q f(E) h(E) + Q^{(0)} + Q^{(1)}\left[1 - h(e^{(1)})\right], \tag{11}$$

where the equality holds when $E_X = E_Z$ and $e_Z^{(1)} = e_X^{(1)}$.
We see that the new formula, which is valid under the use of threshold detectors, is the same as
the GLLP formula except for a small improvement of the term $Q^{(0)}$. This term reflects the
obvious fact that we do not need any privacy amplification for the vacuum contribution because
Eve should have no clue about Alice's bit if she emits the vacuum.

Figure 3 shows the key rate in the new proof as a function of the distance, after optimization
over the mean photon number $\mu$ of Alice's source. The parameters are borrowed from the
experiment by Gobby et al. We have also plotted the rate calculated from the previous argument
(ILM) covering the use of threshold detectors. As a comparison, the rate for the ideal
single-photon source and the rate based on GLLP argument [5] are plotted as broken curves. The
small increase in the distance limit compared to the GLLP curve is due to the term $Q^{(0)}$. We
emphasize here that our main result is not this nominal increase but the fact that the new curve
is valid for the use of threshold detectors. The improvement from the previous curve (ILM) under
the same assumption is noteworthy.

In summary, we have shown that even when we build a QKD system entirely from conventional and
well-tested devices — pulsed lasers and threshold detectors, we can still enjoy the unconditional
security without severe decrease in the key rate and in the distance limit. It is also shown
that the celebrated GLLP formula (with a slight improvement) can now be used for the receivers
with threshold detectors. We hope that the present approach is also helpful for allowing the use
of practical devices in other protocols such as B92 and SARG04. It is also interesting to ask
whether the security proof based on the uncertainty principle can handle the QKD with two-way
classical communications, which is based on an idea tightly connected to the entanglement
distillation.

The author thanks N. Imoto, T. Yamamoto and Y. Adachi for helpful discussions. This work was
supported by a MEXT Grant-in-Aid for Young Scientists (B) 17740265.

FIG. 3: The net key generation rate $G$ (bits per pulse) vs distance. WCP and TD mean that the
curve is valid when weak coherent-state pulses and threshold detectors are used, respectively.
Parameters used are: $d = 1.7 \times 10^{-6}$, $\eta_d = 0.045$, $f(E) = 1.22$, the fiber loss
0.21 dB/km, and 3.3% of distance-independent contribution to the QBER.
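
The comparison between the GLLP rate of Eq. (1) and the new rate of Eq. (11) can be worked through numerically with the parameters of the FIG. 3 caption. The Python below is an added example, not code from the paper; the function names are hypothetical. It assumes a lossy fiber with no eavesdropper, exact knowledge of $Q^{(n)}$ and $e^{(n)}$ (the ideal decoy-state limit), a sifting factor of 1, and an error model in which a detected signal photon errs with probability 3.3% and a dark-only click with probability 1/2.

```python
import math

# Parameters quoted in the FIG. 3 caption of this page.
D, ETA_D, F_EC = 1.7e-6, 0.045, 1.22   # dark count d, detector efficiency, f(E)
LOSS_DB_KM, E_DET = 0.21, 0.033        # fiber loss, distance-independent QBER

def h(x):
    """Binary entropy in bits."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)

def n_photon(n, eta):
    """Return (Y_n, e_n) for an n-photon pulse over a channel of transmittance eta.
    Y_n = 1 - (1-d)(1-eta)^n is one minus the failure probability of Eq. (8).
    Assumed error model: a detected photon errs with E_DET, a dark-only click with 1/2."""
    miss = (1 - eta) ** n
    y = 1 - (1 - D) * miss
    return y, (E_DET * (1 - miss) + 0.5 * D * miss) / y

def key_rate(km, mu, vacuum_term=True):
    """Eq. (11) if vacuum_term, else the GLLP formula Eq. (1). May be negative."""
    eta = ETA_D * 10 ** (-LOSS_DB_KM * km / 10)
    miss = math.exp(-mu * eta)                  # sum_n mu_n (1-eta)^n
    gain = 1 - (1 - D) * miss                   # Q = sum_n mu_n Y_n
    qber = (E_DET * (1 - miss) + 0.5 * D * miss) / gain
    y0, _ = n_photon(0, eta)
    y1, e1 = n_photon(1, eta)
    q0, q1 = math.exp(-mu) * y0, mu * math.exp(-mu) * y1   # Q^(n) = mu_n Y_n
    g = -gain * F_EC * h(qber) + q1 * (1 - h(e1))
    return g + q0 if vacuum_term else g

def best_rate(km, vacuum_term=True):
    """Maximise over mu in 0.01..1.00; report 0 when no mu gives a positive rate."""
    return max(0.0, max(key_rate(km, m / 100, vacuum_term) for m in range(1, 101)))

def distance_limit(vacuum_term=True):
    """First whole kilometre at which the optimised rate is zero."""
    return next(km for km in range(400) if best_rate(km, vacuum_term) == 0.0)

if __name__ == "__main__":
    for km in (0, 50, 100, 140):
        print(km, best_rate(km, False), best_rate(km, True))
    print("distance limits (km):", distance_limit(False), distance_limit(True))
```

For a fixed mean photon number the two formulas differ by exactly $Q^{(0)} = e^{-\mu} d$, which only matters near the cutoff distance where the dark counts dominate.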